CVE-2023-34237
Published 2023-06-07
Priority: P263 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.73% (74.8th percentile)
SABnzbd is an open source automated Usenet download tool. A design flaw was discovered in SABnzbd that could allow remote code execution. Manipulating the Parameters setting in the Notification Script functionality allows code execution with the privileges of the SABnzbd process. Exploiting the vulnerabilities requires access to the web interface. Remote exploitation is possible if users exposed their setup to the internet or other untrusted networks without setting a username/password. By default SABnzbd is only accessible from `localhost`, with no authentication required for the web interface. This issue has been patched in commits `e3a722` and `422b4f`, which have been included in the 4.0.2 release. Users are advised to upgrade. Users unable to upgrade should ensure that a username and password have been set if their instance is web accessible.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | sabnzbdplus | < sabnzbdplus 4.0.2+dfsg-1 (forky) | sabnzbdplus 4.0.2+dfsg-1 (forky) |
| sabnzbd | sabnzbd | — | — |
| sabnzbd | sabnzbd | >= 1.1.0 < 4.0.2 | 4.0.2 |
Detection & IOCs (extracted from sources)
- Exploitation requires access to the SABnzbd web interface; monitor for unauthorized access to the Notification Script 'Parameters' setting, which is the attack vector for RCE.
- By default SABnzbd listens only on localhost with no authentication. Flag any SABnzbd instance bound to non-localhost interfaces as a high-risk misconfiguration.
- The vulnerability is patched in commits e3a722 and 422b4f, included in SABnzbd 4.0.2. Instances running versions prior to 4.0.2 are vulnerable.
- Mitigation for users unable to upgrade: ensure a username and password are configured on any web-accessible SABnzbd instance to prevent unauthenticated exploitation.
- Debian bookworm and bullseye remain unpatched (open) as of the tracker snapshot; only forky, sid, and trixie have the fix via 4.0.2+dfsg-1.
CVSS provenance
- nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- osv: 9.8 CRITICAL
- vendor_debian: 8.1 HIGH
Debian (vendor_debian · 2023 · CVSS 8.1 HIGH): CVE-2023-34237: sabnzbdplus
OSV (osv · 2023-06-07 · CVSS 9.8 CRITICAL): CVE-2023-34237
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/sabnzbd/sabnzbd/commit/422b4fce7bfd56e95a315be0400cdfdc585df7cc
- https://github.com/sabnzbd/sabnzbd/commit/e3a722664819d1c7c8fab97144cc299b1c18b429
- https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-hhgh-xgh3-985r
- https://sabnzbd.org/wiki/configuration/4.0/general
- https://security.gentoo.org/glsa/202312-11